Feature Article
How Safe is Your Password?
By Mark Pribish
Vice President and ID Theft Practice Leader

Over two years ago, I wrote an article on password management and how "no password is unbreakable" and how every individual should be aware of and responsible for good/strong password management (please see the article here).

Since that time, there have been a number of password-related data breaches, including LinkedIn (see the PC World article here), eHarmony (see The Register article here) and Twitter (see the Information Week article here) - with all three social media data breaches taking place in the last two months.

Unfortunately, most people fail to realize the inherent risk of using the same password on multiple websites including banking and financial services, health/medical services, internet services, tax preparation services, and social media websites - so whenever your password is stolen it could be used to access your bank account, medical records, email, and other accounts.

So let's talk about the LinkedIn data breach event as I still have some questions on how the world's largest professional social media network can be so vulnerable to a hacking event and subsequent data breach.

I asked my esteemed colleague, Michael Mortensen, the VP of Information Technology at Phoenix-based Merchants Information Solutions, Inc., to provide some of his observations and comments.

According to Mr. Mortensen, there has been a lot of discussion of this breach in the media, especially the online media. Others have already given some sound advice for those who might be at risk. He too strongly encourages all LinkedIn users to immediately change their LinkedIn passwords. Taking this step alone, however, doesn't go nearly far enough and he explains why below.

"Imagine the scenario in which hacking the LinkedIn accounts was not the goal but rather one step toward a larger goal (emptying your personal bank accounts, your investment accounts, your company's accounts, etc.). Serious hackers understand the human tendency to avoid having to remember too many things (like different passwords for everything). A great many people attempt to simplify their lives by using the same password for all of their online activities. If you are one of these people and have online access to money, either your own or your company's, you are a prime target for this hack. Once your LinkedIn password is hacked, the hackers know who you are, where you work, your title and job responsibilities, the city where you live, and many other useful tidbits of information that you have so conveniently included in your profile (the full profile, not just the public profile). Armed with your common password and what they have learned about you from your LinkedIn profile and contacts, they are now several steps closer to your bank and investment accounts.

So, while you are busy changing your LinkedIn password, don't forget to update the password on all of your other online accounts and make sure each account has its own unique password. Failing to do so could cost you far more than disclosing to whom you are connected."

The above comments lead me to mention the Verizon 2012 Data Breach Investigations Report (see the report here) which reported that poor password management was the root cause of many 2011 data breaches.

The Verizon report - which focuses on business data breach events and information security and governance - stated that "hackers are scanning the Internet for easily guessable passwords."

That said, here are my four lessons learned from the recent LinkedIn, eHarmony and Twitter data breach events:

  1. Hackers are exploiting stolen passwords to trick users into downloading malware which can be a threat to personal and business financial and private data.
  2. No one company can ever prevent an individual from becoming an ID Theft victim and no one business can ever prevent itself from experiencing a data breach.
  3. Everyone, and I mean everyone – ranging from individual consumers to small, medium and large businesses, including companies such as Sony, AOL, Facebook, Google, and Monster.com (all of which have experienced one or more data breach events) – is open to the attack of a hacker's code.
  4. Do not use the same password for all of your accounts or share passwords and be proactive in changing your password every 60 days.
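
The reuse problem behind lesson 4 and Mr. Mortensen's advice can be checked mechanically. The following Python script is an added example, not part of the original article: it audits a password-manager export (the `site,username,password` CSV layout and every sample row are assumptions constructed for illustration) and lists which accounts share a password with a breached site, comparing keyed digests rather than plaintext.

```python
import csv
import hashlib
import hmac
import io
import secrets
from collections import defaultdict

# Constructed sample in an assumed site,username,password export layout.
SAMPLE_EXPORT = """site,username,password
linkedin.com,pat@example.com,Autumn2012!
bank.example,pat@example.com,Autumn2012!
mail.example,pat@example.com,Autumn2012!
utility.example,pat,k9#Vt2!qLm
forum.example,pat,hunter2
shop.example,pat,hunter2
"""


def reuse_groups(export_text, key=None):
    """Return lists of sites that share one password."""
    # Per-run random key: the digests cannot be reused or looked up later.
    key = key or secrets.token_bytes(32)
    groups = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_text)):
        digest = hmac.new(key, row["password"].encode("utf-8"),
                          hashlib.sha256).digest()
        groups[digest].append(row["site"].strip().lower())
    # A password used on only one site is not a reuse problem.
    return [sorted(sites) for sites in groups.values() if len(sites) > 1]


def exposed_by_breach(export_text, breached_site):
    """Sites that must get a new password because they share one with breached_site."""
    breached_site = breached_site.strip().lower()
    exposed = set()
    for sites in reuse_groups(export_text):
        if breached_site in sites:
            exposed.update(s for s in sites if s != breached_site)
    return sorted(exposed)


if __name__ == "__main__":
    for sites in reuse_groups(SAMPLE_EXPORT):
        print("shared password:", ", ".join(sites))
    print("change first after a linkedin.com breach:",
          exposed_by_breach(SAMPLE_EXPORT, "linkedin.com"))
```

Run it against a local export only, and delete the export file afterwards, since it holds every password in plaintext.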

To learn more about these threats and how to protect yourself and your family from Identity Theft, you can read my past newsletters at the Merchants Identity Theft Educational Website at www.idtheftedu.com.

Sincerely,
Mark


Scam Central

Thanks for paying my bills, Mr. President!

For most people, paying bills is not really the happiest time of the month. Watching your hard-earned money disappear in the click of a mouse button or the writing of a check can be hard. In a matter of minutes one can see their bank account drop significantly. Unfortunately, there is not much we can do about it. We all have bills to pay, and some more than others. The types of bills vary as much as one person varies from another. Some people have car payments while others do not. Some people have cable bills, while others do not. However, there is one monthly bill that everyone who pays a mortgage or rent has in common: the utility bill.

If you happen to live in the desert like me, you know that the summer months can be brutal on your utility bill. Air conditioning units seem to run continually throughout the day, and on through the night. The chance to have your monthly bills lowered, or perhaps paid entirely by someone else, including the government, is as welcome as a cool autumn breeze. Some people have been receiving emails, texts and tweets stating that there is government money to help pay your bills. But beware! That cool breeze will quickly turn into the hot air it really is.

How It Works:

A recent Scam Alert by Robert Longley (see his Scam Alert here) informs us that many people are receiving tweets, text messages and emails announcing that the government has a special fund for citizens to help pay their utility bills. All you need to surrender in exchange is some personal information, which includes your Social Security Number (SSN) and your bank account's routing number. In exchange for this information, you will receive a special Federal Reserve bank routing number that can be used to pay your utility bill online. That money will allegedly come from a special fund that the good President has set up to help struggling citizens pay their bills.

Just to be clear, there is no special fund set up to help you pay your utility bill, or any other bill for that matter. If you have fallen victim to this scam, you have just given a clever identity thief the information they need to quickly empty your bank account, and you have now used a bogus bank account to pay your utility bill, which may subject you to late fees or loss of service, or both.

Your Defense:

Never fall for this type of scam. If you receive any unsolicited emails, texts, tweets or perhaps phone calls informing you about special government assistance, delete them immediately or hang up the phone. Do not pass the information on to others, and certainly do not reply to or follow any links provided in an unsolicited email. If you receive a phone call, call your local utility company and either verify or report the information. If the offer is a legitimate one, the local utility company will know.

While the average person would like to believe that the government would help them pay their bills out of the kindness of its heart, it just is not going to happen. There are several legitimate Federal assistance programs available for those who are struggling due to loss of job, disabilities, etc., but this is not one of those programs. To find out which government benefits you may be eligible for, visit www.benefits.gov or the Catalog of Federal Domestic Assistance (www.cfda.gov). Always be judicious in how and when you give out your Personally Identifiable Information (PII).

If you believe your identity has been stolen, call 866.SMART68 today.